Leaky Mobile Apps: What You Need to Know
1 like2,633 views
The document discusses the significant security risks associated with mobile applications, emphasizing that 25% of tested apps have serious vulnerabilities. It outlines various attack vectors and real-world examples of data breaches, highlighting the lack of effective security measures and awareness among users. Recommendations are provided for improving mobile security, including regular updates and the use of two-factor authentication.
Leaky Mobile Apps: What You Need to Know
- 1. Leaky mobile apps: What you need to know July 19th, 2017
- 2. About Me • Jon Porter of House NowSecure - Mobile app security software company • Enthusiast of Mobile Security / Senior SE • BA Comp Sci / MS Info Sec • Solver of the Rubik’s Cube(s) • Drinker of 1000 beers (1229 to be exact)
- 3. • The mobile security problem • The state of mobile app security • 3-part mobile exploit demo • What can we do about it? Agenda
- 6. SPENDING MORE TIME WITH MOBILE APPS THAN DESKTOPS Source: Comscore by way of Benedict Evans
- 7. PRESSING MOBILE SECURITY ISSUES • Apps are vulnerable and leaking data • Lack of administrative access to devices • Complex ecosystem ◦ OEMs ◦ OS developers, carriers • Innovation outpaces security practices • Legacy security strategies are ineffective (“bolted on”) Typical security defenses fail in mobile se4ngs because they protect boundaries rather than the informa7on itself, and mobile users do not respect tradi7onal boundaries. Gartner
- 8. VULNERABILITIES IN ANDROID AND IOS Life[me Android CVEs by type (130 in 2015) Life[me iOS CVEs by type (375 in 2015) Source: CVE DetailsSource: CVE Details
- 9. MOBILE DATA IS VALUABLE AND A MARKET FOR COMPROMISE EXISTS • Governments ◦ Legi[mate need ◦ Legal framework ◦ Willingness to pay for it • Hacking Team weaponizes mobile security flaws for surveillance • Zerodium ◦ Sells zero-day exploits ◦ Offers $1 million for iOS jailbreaks • Malicious actors willing to pay ◦ Oppressive regimes ◦ Rogue states
- 10. THE ULTIMATE SURVEILLANCE TOOL? Apps can: • Read precise loca[on • Read phone logs • Read SMS • Record audio • Use camera • Start on boot • Connect to Internet
- 13. Source - 2016 NowSecure Mobile Security Report 25% of mobile apps have at least one high risk security or privacy flaw
- 14. HIGH RISK ISSUES EXIST WITHIN EACH APP CATEGORY Source - 2016 NowSecure Mobile Security Report Gaming apps: Business apps: Social apps: 1.5x 3x 4x more likely to include a high risk vulnerability more likely to leak login creden[als more likely to leak login creden[als or email address
- 15. HIGH RISK ISSUES IN APPS WITH MORE THAN 1M DOWNLOADS Source - 2016 NowSecure Mobile Security Report
- 16. LEAKY APPS AND SOCIAL ENGINEERING Source - 2016 NowSecure Mobile Security Report • Informa[on leaked can prove valuable to akackers • Reconnaissance for targeted social engineering schemes • E.g., creden[als leaked by a produc[vity app ◦ Might grant an akacker access to a cache of sensi[ve informa[on ◦ Usernames ◦ GPS loca[on ◦ Unlock other sensi[ve informa[on about a user
- 17. EXAMPLES
- 18. Remote Akack Surface • Vungle provides in-app video adver[sing • App library serves >200M ads each month • Remote code execu[on • Data about the device and the user from the app EXAMPLE: “Vungle products provide necessary infrastructure for app mone7za7on through video ads. More than 200 million people worldwide see Vungle ads each month.”
- 20. Remote Akack Surface • SDK downloads a zip file over hkp without TLS or verifica[on • Create a .dex file that contains code you want to execute • Add the .dex to the requested zip file, modify the network response and, you can gain remote code execu[on EXAMPLE: “An integrated mobile adver7sing plaEorm enabling adver7ser to op7mize ad efficiency and app developer to acquire the highest media benefit. “ DEX
- 21. ADLIBR SCALE
- 22. POPULAR APP USING ADLIB • A network-based akacker can modify traffic to gain control of the device due to a flaw in Adlibr SDK • The akacker can access current app data, world accessible data and chain with an exploit to gain elevated permissions
- 23. SAMPLE DATA LEAKED (HTTP) • Many ad networks send data in clear, including geoloca[on • ID derived from hardware can be tracked across [me and loca[ons • App pkg is iden[fied, enabling akacker to find target imei=352584060111000 mac=f8:a9:c2:4f:f3:80 androidid=88c8584b54bd9c00 serial=062f2dfb344be87b conn=wifi country=US dm=Nexus+5 dv=Android4.4.2 lat=41.83720397949219 long=-87.9613037109375 mcc=310 mnc=410 mmdid=mmh_AC78B68BD2E528CC0FC78AFB342E58CF _9099A5181F956FCAFB4AC9946DF71CCACB322F59 root=0 pkid=com.ismaker.android.simsimi pknm=SimSimi plugged=true sdkversion=5.1.0-13.08.12.a ua=Dalvik%2F1.6.0+ %28Linux%3B+U%3B+Android+4.4.2%3B+Nexus+5+ Build%2FKOT49H%29
- 24. DATA DESTINATIONS Destination address IP Country ad.adlibr.com 211.236.244.152 KR ad.doubleclick.net 173.194.33.156 US ads.mp.mydas.mobi 216.157.12.18 US adtg.widerplanet.com 117.52.90.81 KR androidsdk.ads.mp.mydas.mobi 211.110.212.68 KR ajax.googleapis.com 74.125.28.95 US androidsdk.ads.mp.mydas.mobi 216.157.12.18 US app.simsimi.com 54.235.200.56 US astg.widerplanet.com 117.52.90.85 KR bank81.mi.ads.mp.mydas.mobi 216.157.13.15 US capp.simsimi.com 174.129.197.187 US cdn.millennialmedia.com 96.17.8.146 US d.appsdt.com 52.6.198.255 US dcys-en.ijinshan.com 114.112.93.204 CN landingpages.millennialmedia.co m 216.157.12.21 US mtab.clickmon.co.kr 114.207.113.177 KR once.unicornmedia.com 192.33.167.222 US rtax.criteo.com 74.119.117.100 US
- 26. DEMO
- 27. PART 1: CRITICAL VULNERABILITY IN PRE-INSTALLED KEYBOARD ON SAMSUNG DEVICES • Combining CVE-2015-4640 and CVE-2015-4641 • Execute arbitrary code in a privileged context • Result: silently execute malicious code on target device • Es[mated impact: 600 million devices DEMO
- 28. PART 2: INSTALLING A MALICIOUS APPLICATION • Silently installed using the previous exploit • Communicates device/user data to a C&C server • Even if removed, can be reinstalled by the akacker • The UI is just for demo purposes, and would not be required if using this in the wild DEMO
- 29. PART 3: EXPOSING LEAKY APPS • Escalate to root privilege using another exploit • Use the root permission to look for vulnerable applica[on (or all applica[ons) • Compress and send the data back to the C&C server DEMO
- 31. TIPS FOR SECURING YOUR MOBILE DEVICE 1. Update your opera[ng system and apps when new versions are available. 2. Add a passcode, PIN, or pakern lock. 3. Use different passwords for sites and apps. 4. Logout of your applica[ons. 5. Only download apps from the official App Store and Google Play. 6. Use two-factor user iden[fica[on when available. 7. Know what data is being collected by applica[ons.
- 32. OTHER FREE RESOURCES 1. Secure Mobile Dev Best Prac[ces 2. Mobile App Security Program Management Handbook 3. Mobile Banking Applica[ons: Security Challenges for Banks 4. Mobile Incident Response E-book SPONSORED OPEN SOURCE PROJECTS 1. Frida - inject JavaScript to explore na[ve apps on Windows, macOS, Linux, iOS, Android, and QNX 2. Radare - complete framework for reverse-engineering and analyzing binaries